<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Gaining a Foothold at the Internet Perimeter | 狼组安全团队 (WgpSec) Public Knowledge Base</title>
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="Dedicated to building an information-security utopia">
    <meta name="referrer" content="never">
    <meta name="keywords" content="knowledge base,public knowledge base,狼组,狼组安全团队 knowledge base,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container">
<main class="page">
<div class="theme-antdocs-content content__default">
<h2 id="边界资产收集">Perimeter Asset Collection <a href="#边界资产收集" class="header-anchor">#</a></h2>
<p><img src="/images/hw/infoscan.png" alt=""></p>
<h3 id="whois-聚合数据">Whois Aggregated Data <a href="#whois-聚合数据" class="header-anchor">#</a></h3>
<p>微步在线 (ThreatBook): https://x.threatbook.cn/</p>
<h3 id="集团结构">Corporate Structure <a href="#集团结构" class="header-anchor">#</a></h3>
<p>Use 天眼查, 爱企查 and similar business-registry services to map the target enterprise's organizational structure: first-level units and second-level units (outward investments).</p>
<p>Based on the target's organizational structure, collect its <code>apex domains</code> (reverse lookups of ICP filing records and of whois data) and its <code>e-mail assets</code>.</p>
<h3 id="子域名">Subdomains <a href="#子域名" class="header-anchor">#</a></h3>
<p><strong>Online collection</strong></p>
<p>FOFA: <code>domain=&quot;baidu.com&quot;</code></p>
<p>RapidDNS: https://rapiddns.io/subdomain</p>
<p>Dictionary brute force: https://phpinfo.me/domain/</p>
<h3 id="cdn绕过-ip资产收集">CDN Bypass (IP Asset Collection) <a href="#cdn绕过-ip资产收集" class="header-anchor">#</a></h3>
<p><strong>Confirming a CDN</strong></p>
<p>Multi-location ping: https://tools.ipip.net/httphead.php</p>
<div class="language-bash"><pre class="language-bash"><code>nslookup -qt=A xxx.com
# An answer that goes through a "cache" or other alias (CNAME), or that returns several IPs, means the host is behind a CDN
</code></pre></div>
<p><strong>Bypassing the CDN</strong></p>
<p>FOFA:</p>
<div class="language-bash"><pre class="language-bash"><code>title="site title"
cert="apex domain"
icon_hash="251555155"

asn="12345"
# If one IP of the target outside an IDC has been found, use its ASN to search for the rest of its IP assets
</code></pre></div>
<p>Register an account on the site and view the raw source (headers) of the e-mail it sends.</p>
<p>Use <code>ping</code> against the discovered subdomains to help locate the real IP.</p>
<h3 id="c段-旁站">C-Class Range / Neighbouring Sites <a href="#c段-旁站" class="header-anchor">#</a></h3>
<p><strong>C-class range (results can deviate considerably)</strong></p>
<p>Search FOFA directly (<code>ip=&quot;x.x.x.x/24&quot;</code>)</p>
<p><strong>Neighbouring-site lookup (reverse IP to domain)</strong></p>
<p>FOFA, search an IP to get its domains: <code>ip=&quot;x.x.x.x&quot;</code></p>
<p>https://site.ip138.com/</p>
<p>https://rapiddns.io/sameip11</p>
<p>https://tools.ipip.net/ipdomain.php</p>
<h3 id="src-漏洞库">SRC Vulnerability Databases <a href="#src-漏洞库" class="header-anchor">#</a></h3>
<p>Once some subdomain assets are in hand, look up vulnerabilities that have already been disclosed for them.</p>
<p>WooYun mirror: https://wooyun.x10sec.org/</p>
<h3 id="web指纹-网站架构">Web Fingerprinting (Site Architecture) <a href="#web指纹-网站架构" class="header-anchor">#</a></h3>
<p>OA collaborative-office suites, server middleware, CMS frameworks, scripting languages.</p>
<p>Related tool: wappalyzer</p>
<p>Use the identified fingerprints to search for known vulnerabilities in the corresponding applications.</p>
<h3 id="目录扫描">Directory Scanning <a href="#目录扫描" class="header-anchor">#</a></h3>
<p>Sites use the Robots protocol (robots.txt) to tell search engines which pages may and may not be crawled; the file may therefore list sensitive paths.</p>
<p>Directory scanning can reveal backup files, test files, leaked source code, admin backends, and so on.</p>
<p>https://github.com/maurosoria/dirsearch</p>
<div class="language-bash"><pre class="language-bash"><code>python3 dirsearch.py -u &lt;URL&gt; -e '*'    # the extension list is quoted so the shell does not expand the *

--http-proxy=localhost:1080		# use a proxy (can also be set in the configuration file)
</code></pre></div>
<h3 id="js敏感api接口">Sensitive API Endpoints in JS <a href="#js敏感api接口" class="header-anchor">#</a></h3>
<p>Find unauthenticated file-upload and similar interfaces.</p>
<p>1. JSFinder (discovers API endpoints): https://github.com/Threezh1/JSFinder</p>
<div class="language-bash"><pre class="language-bash"><code>python JSFinder.py -d -u http://www.mi.com
</code></pre></div>
<p>2. Search the page source for <code>location.href</code> redirects.</p>
<h3 id="端口服务扫描">Port and Service Scanning <a href="#端口服务扫描" class="header-anchor">#</a></h3>
<p>Scan the commonly exposed high-risk ports.</p>
<p><strong>Common port services and penetration approaches</strong></p>
<table><thead><tr><th style="text-align:left;">Port</th> <th style="text-align:left;">Service</th> <th style="text-align:left;">Penetration approach</th></tr></thead> <tbody>
<tr><td style="text-align:left;">21/69</td> <td style="text-align:left;">FTP/TFTP: file transfer protocols</td> <td style="text-align:left;">brute force, anonymous access</td></tr>
<tr><td style="text-align:left;">22</td> <td style="text-align:left;">SSH: remote access</td> <td style="text-align:left;">username enumeration, brute force</td></tr>
<tr><td style="text-align:left;">23</td> <td style="text-align:left;">Telnet: remote access</td> <td style="text-align:left;">brute force</td></tr>
<tr><td style="text-align:left;">53</td> <td style="text-align:left;">DNS: domain name system</td> <td style="text-align:left;">DNS zone transfer / DNS cache poisoning / DNS spoofing / DNS tunnelling through the firewall</td></tr>
<tr><td style="text-align:left;">389</td> <td style="text-align:left;">LDAP</td> <td style="text-align:left;">unauthenticated access (connect directly with an LDAP browser tool)</td></tr>
<tr><td style="text-align:left;">445</td> <td style="text-align:left;">SMB</td> <td style="text-align:left;">brute force, MS17-010 remote code execution</td></tr>
<tr><td style="text-align:left;">873</td> <td style="text-align:left;">rsync</td> <td style="text-align:left;">unauthenticated access</td></tr>
<tr><td style="text-align:left;">1090/1099</td> <td style="text-align:left;">Java RMI</td> <td style="text-align:left;">Java deserialization remote command execution</td></tr>
<tr><td style="text-align:left;">1433</td> <td style="text-align:left;">MSSQL</td> <td style="text-align:left;">SQL injection, SA weak-password brute force</td></tr>
<tr><td style="text-align:left;">1521</td> <td style="text-align:left;">Oracle</td> <td style="text-align:left;">SQL injection, TNS brute force</td></tr>
<tr><td style="text-align:left;">2049</td> <td style="text-align:left;">NFS</td> <td style="text-align:left;">misconfiguration</td></tr>
<tr><td style="text-align:left;">2181</td> <td style="text-align:left;">ZooKeeper</td> <td style="text-align:left;">unauthenticated access</td></tr>
<tr><td style="text-align:left;">3306</td> <td style="text-align:left;">MySQL</td> <td style="text-align:left;">injection, brute force, writing a shell into the web directory</td></tr>
<tr><td style="text-align:left;">3389</td> <td style="text-align:left;">RDP</td> <td style="text-align:left;">brute force, CVE-2019-0708 remote code execution</td></tr>
<tr><td style="text-align:left;">4848</td> <td style="text-align:left;">GlassFish console</td> <td style="text-align:left;">brute force: weak console password, authentication bypass</td></tr>
<tr><td style="text-align:left;">5900</td> <td style="text-align:left;">VNC</td> <td style="text-align:left;">weak-password brute force, authentication bypass</td></tr>
<tr><td style="text-align:left;">6379</td> <td style="text-align:left;">Redis</td> <td style="text-align:left;">unauthenticated access, weak-password brute force</td></tr>
<tr><td style="text-align:left;">7001</td> <td style="text-align:left;">WebLogic middleware</td> <td style="text-align:left;">deserialization, weak console password + deploying a WAR package</td></tr>
<tr><td style="text-align:left;">9043</td> <td style="text-align:left;">WebSphere console</td> <td style="text-align:left;">weak console password (https://:9043/ibm/console/logon.jsp), remote code execution</td></tr>
<tr><td style="text-align:left;">9200/9300</td> <td style="text-align:left;">Elasticsearch</td> <td style="text-align:left;">remote code execution</td></tr>
<tr><td style="text-align:left;">11211</td> <td style="text-align:left;">Memcache</td> <td style="text-align:left;">unauthenticated access (<code>nc -vv TARGET_IP 11211</code>)</td></tr>
<tr><td style="text-align:left;">27017</td> <td style="text-align:left;">MongoDB</td> <td style="text-align:left;">unauthenticated access, weak-password brute force</td></tr>
<tr><td style="text-align:left;">50000</td> <td style="text-align:left;">SAP</td> <td style="text-align:left;">remote code execution</td></tr>
<tr><td style="text-align:left;">50070</td> <td style="text-align:left;">Hadoop</td> <td style="text-align:left;">unauthenticated access</td></tr>
</tbody></table>
<p>Web ports:</p>
<div class="language-text"><pre class="language-text"><code>80,81,82,443,5000,7001,7010,7100,7547,7777,7801,8000,8001,8002,8003,8005,8009,8010,8011,8060,8069,8070,8080,8081,8082,8083,8085,8086,8087,8088,8089,8090,8091,8161,8443,8880,8888,8970,8989,9000,9001,9002,9043,9090,9200,9300,9443,9898,9900,9998,10002,50000,50070
</code></pre></div>
<p>Servers:</p>
<div class="language-text"><pre class="language-text"><code>21,22,445,3389,5900
</code></pre></div>
<p>Databases:</p>
<div class="language-text"><pre class="language-text"><code>1433,1521,3306,6379,11211,27017
</code></pre></div>
<h2 id="互联网敏感信息收集">Sensitive Information Collection on the Internet <a href="#互联网敏感信息收集" class="header-anchor">#</a></h2>
<h3 id="邮箱发现">E-mail Address Discovery <a href="#邮箱发现" class="header-anchor">#</a></h3>
<div class="language-text"><pre class="language-text"><code>1. The target's official website pages
2. Batch queries through 爱企查 and similar services
3. https://hunter.io
</code></pre></div>
<p>Then use <code>SNETCracker</code> to brute-force SMTP and POP3.</p>
<h3 id="源码发现">Source Code Discovery <a href="#源码发现" class="header-anchor">#</a></h3>
<div class="language-text"><pre class="language-text"><code>1. GitHub
2. Gitee
</code></pre></div>
<p>Some of the source code may contain account credentials.</p>
<h3 id="文档发现">Document Discovery <a href="#文档发现" class="header-anchor">#</a></h3>
<p>百度文库 (Baidu Wenku): https://wenku.baidu.com</p>
<p>原创力文档 (book118): https://max.book118.com</p>
<p>凌风云: https://wenku.lingfengyun.com</p>
<h3 id="账号信息">Account Information <a href="#账号信息" class="header-anchor">#</a></h3>
<p>Search engines: Google, Baidu</p>
<p>Baidu Tieba</p>
<p>Tianya forum</p>
<h2 id="边界入口打点">Gaining a Foothold at the Perimeter Entry Points <a href="#边界入口打点" class="header-anchor">#</a></h2>
<h3 id="一、弱口令-文件上传">1. Weak Passwords + File Upload <a href="#一、弱口令-文件上传" class="header-anchor">#</a></h3>
<p>Experience shows that weak passwords are still widespread, mostly on sites that are still in development or testing.</p>
<p>Log into the backend with a weak password, then look for a file-upload point to get a shell.</p>
<div class="language-bash"><pre class="language-bash"><code>Web backends: admin, 123456, 111111, admin@123, 654321, 000000, qazwsx
</code></pre></div>
<h3 id="二、高危组件">2. High-Risk Components <a href="#二、高危组件" class="header-anchor">#</a></h3>
<div class="language-text"><pre class="language-text"><code>Shiro deserialization (login forms written in JSP)
WebLogic deserialization (code execution through deserialization over the T3 and IIOP protocols)
Struts2 command execution (rare now; focus on 016, 045 and 046)
</code></pre></div>
<h3 id="三、oa办公平台">3. OA Office Platforms <a href="#三、oa办公平台" class="header-anchor">#</a></h3>
<div class="language-bash"><pre class="language-bash"><code>致远OA (Seeyon)
通达OA (Tongda)
泛微OA (Weaver)
蓝凌OA (Landray)

Historical RCE, file-upload and SQL-injection vulnerabilities
</code></pre></div>
<h3 id="四、sql注入">4. SQL Injection <a href="#四、sql注入" class="header-anchor">#</a></h3>
<p>Use SQL injection to recover a password and enter the backend, or to get a shell directly.</p>
<p>University sites include many ASP and PHP applications; their login, registration and query functions are fairly likely to have SQL injection vulnerabilities.</p>
<h3 id="五、vpn-邮箱">5. VPN &amp; E-mail <a href="#五、vpn-邮箱" class="header-anchor">#</a></h3>
<div class="language-bash"><pre class="language-bash"><code>Obtain the target's VPN account through information gathering and social engineering, and go straight into the intranet
Be sure to collect the target's e-mail addresses; cracking into one mailbox can yield a large amount of material, or enable precisely targeted phishing e-mails
</code></pre></div>
</div>
<footer class="page-edit"><div class="last-updated"><span class="prefix">Last updated:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer>
</main>
</div><div class="global-ui"></div></div>
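<div class="theme-antdocs-content content__default">
<p>The "Confirming a CDN" step in the CDN Bypass section above reads an <code>nslookup</code> answer by eye. As an added example (not part of the original page), the Python below applies the same two signals, a CNAME chain to a cache/CDN hostname and several A records for one name, to resolver answers, so that a defender can list which of their own names still answer straight from the origin. The constructed <code>Resolution</code> samples, the TEST-NET addresses and the <code>CDN_HINTS</code> substrings are assumptions made for the example; <code>resolve()</code> uses the standard library's <code>socket.gethostbyname_ex</code> for a live lookup and is not exercised by the samples.</p>

```python
"""Classify DNS answers the way the "Confirming a CDN" step does.

Added example (not part of the original page): a CNAME chain pointing at a
cache/CDN hostname, or several A records for one name, is treated as a sign
that the name is fronted by a CDN. Names that do NOT classify as CDN-fronted
expose their origin IP directly, which is what a defender wants to know.
"""
import socket
from dataclasses import dataclass, field

# Illustrative, deliberately incomplete list of substrings seen in CDN CNAME targets.
CDN_HINTS = ("cdn", "cache", "cloudfront", "akamai", "edgekey", "cloudflare", "fastly")


@dataclass
class Resolution:
    queried: str                                   # name that was looked up
    canonical: str                                 # name at the end of the CNAME chain
    aliases: list = field(default_factory=list)    # other names seen in the chain
    addresses: list = field(default_factory=list)  # A records returned


def resolve(host: str) -> Resolution:
    """Live lookup through the system resolver; gethostbyname_ex returns
    (canonical name, alias list, address list). Needs network access."""
    canonical, aliases, addresses = socket.gethostbyname_ex(host)
    return Resolution(host, canonical, list(aliases), list(addresses))


def classify(res: Resolution) -> dict:
    """Apply the page's two heuristics and report which of them fired."""
    reasons = []
    queried = res.queried.lower().rstrip(".")
    chain = [n for n in [res.canonical] + res.aliases
             if n.lower().rstrip(".") != queried]
    if chain:
        reasons.append("CNAME chain: " + " -> ".join(chain))
    hints = sorted({h for n in chain for h in CDN_HINTS if h in n.lower()})
    if hints:
        reasons.append("CDN-looking alias (" + ", ".join(hints) + ")")
    unique_ips = sorted(set(res.addresses))
    if len(unique_ips) > 1:
        reasons.append(f"{len(unique_ips)} A records (CDN edge pool or round-robin)")
    return {
        "host": res.queried,
        "likely_cdn": bool(hints) or len(unique_ips) > 1,
        "addresses": unique_ips,
        "reasons": reasons,
    }


def exposed_origins(resolutions) -> list:
    """Names whose answers show no CDN signs, i.e. whose IPs are the origin itself."""
    return [r.queried for r in resolutions if not classify(r)["likely_cdn"]]


# Constructed sample answers (TEST-NET addresses, no real infrastructure).
SAMPLE_CDN = Resolution(
    "www.example.com",
    "www.example.com.cdn-provider.example.net",
    ["www.example.com"],
    ["203.0.113.10", "203.0.113.11", "198.51.100.7"],
)
SAMPLE_DIRECT = Resolution("mail.example.com", "mail.example.com", [], ["192.0.2.25"])
SAMPLE_ROUND_ROBIN = Resolution("api.example.com", "api.example.com", [],
                                ["192.0.2.10", "192.0.2.11"])

if __name__ == "__main__":
    samples = [SAMPLE_CDN, SAMPLE_DIRECT, SAMPLE_ROUND_ROBIN]
    for sample in samples:
        print(classify(sample))
    print("direct-to-origin:", exposed_origins(samples))
```

<p>Multiple A records are only a hint: a name with two origin addresses in a round-robin set is reported as likely CDN as well, which is why the result carries its reasons rather than a bare verdict. Run <code>classify(resolve(name))</code> over an asset inventory to find the names that still bypass the CDN.</p>
</div>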
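<div class="theme-antdocs-content content__default">
<p>The port lists and the table under "Port and Service Scanning" are written for the attacker reading a scan; the same lists serve an external-exposure audit. The following Python is an added example, not the page's own code: it parses nmap grepable (<code>-oG</code>) output, groups each open port by the page's web/server/database lists, and flags the services the table marks as prone to unauthenticated access. The scan lines are constructed samples with TEST-NET addresses; <code>WEB_PORTS</code>, <code>SERVER_PORTS</code>, <code>DB_PORTS</code> and <code>UNAUTH_PRONE</code> are taken from the page, while the severity levels are the example's own assumption.</p>

```python
"""Audit externally visible ports against the port lists in the page's
"Port and Service Scanning" section. Added example, not the page's own code.

Input is nmap grepable output (-oG); the lines below are constructed samples.
The checks state the page's point from the defender's side: database and
management ports should not be reachable from the Internet at all, and the
services the table marks "unauthenticated access" deserve the first look.
"""
import re

# Port groups copied from the page.
WEB_PORTS = {80, 81, 82, 443, 5000, 7001, 7010, 7100, 7547, 7777, 7801, 8000, 8001,
             8002, 8003, 8005, 8009, 8010, 8011, 8060, 8069, 8070, 8080, 8081, 8082,
             8083, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8161, 8443, 8880, 8888,
             8970, 8989, 9000, 9001, 9002, 9043, 9090, 9200, 9300, 9443, 9898, 9900,
             9998, 10002, 50000, 50070}
SERVER_PORTS = {21, 22, 445, 3389, 5900}
DB_PORTS = {1433, 1521, 3306, 6379, 11211, 27017}
# Services the page's table lists under "unauthenticated access".
UNAUTH_PRONE = {389: "LDAP", 873: "rsync", 2181: "ZooKeeper", 6379: "Redis",
                11211: "Memcache", 27017: "MongoDB", 50070: "Hadoop"}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text: str) -> dict:
    """Return {host: [(port, state, service), ...]} for every 'Ports:' line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [(int(port), state, svc)
                       for port, state, _proto, svc in PORT_RE.findall(ports_field)]
    return hosts


def audit(text: str) -> list:
    """One finding per open port, tagged with the page's category and a defender's note."""
    findings = []
    for host, entries in parse_gnmap(text).items():
        for port, state, service in entries:
            if state != "open":
                continue
            if port in DB_PORTS:
                category, severity = "database", "high"
            elif port in SERVER_PORTS:
                category, severity = "server", "high"
            elif port in WEB_PORTS:
                category, severity = "web", "medium"
            else:
                category, severity = "other", "low"
            note = "Internet-facing %s service" % category
            if port in UNAUTH_PRONE:
                note += "; %s is commonly deployed without authentication" % UNAUTH_PRONE[port]
            findings.append({"host": host, "port": port, "service": service,
                             "category": category, "severity": severity, "note": note})
    return sorted(findings, key=lambda f: (f["host"], f["port"]))


def high_severity(text: str) -> list:
    """(host, port) pairs that should not be reachable from the Internet."""
    return [(f["host"], f["port"]) for f in audit(text) if f["severity"] == "high"]


# Constructed sample -oG output (TEST-NET addresses; not a real scan).
SAMPLE_GNMAP = """\
# Nmap grepable output (constructed sample)
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 6379/open/tcp//redis///\tIgnored State: closed (997)
Host: 203.0.113.6 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///, 27017/open/tcp//mongodb///
Host: 203.0.113.7 ()\tPorts: 8443/open/tcp//https-alt///, 3389/open/tcp//ms-wbt-server///, 12345/open/tcp//unknown///
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_GNMAP):
        print(finding)
    print("high:", high_severity(SAMPLE_GNMAP))
```

<p>Filtered ports are skipped on purpose: the audit is about what an outsider can actually connect to. A port that falls in none of the page's lists is still reported, at low severity, so that unexpected listeners such as the 12345 in the sample do not disappear from the inventory.</p>
</div>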
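<div class="theme-antdocs-content content__default">
<p>The "Directory Scanning" section notes that robots.txt may itself disclose sensitive paths. The Python below is an added example, not the page's code: a small robots.txt parser and an audit that reports Disallow entries matching the categories that section names (admin backends, backup and test files, source and configuration leaks). The robots.txt content and the <code>SENSITIVE</code> patterns are constructed for the example.</p>

```python
"""Check a robots.txt for the kind of sensitive-path disclosure the page's
"Directory Scanning" section warns about. Added example, not the page's code.

robots.txt is advice to crawlers, not access control: every Disallow line is
readable by anyone, so listing /admin or a backup archive there advertises it.
The robots.txt below is constructed for the example.
"""
import re

# Path patterns matching what the page names as directory-scan findings: admin
# backends, backup/test files, source leaks. Illustrative, not exhaustive.
SENSITIVE = [
    (re.compile(r"/(admin|manage|manager|console|backend)(/|$)", re.I), "admin backend"),
    (re.compile(r"\.(bak|old|zip|rar|tar|gz|7z|sql)$", re.I), "backup archive"),
    (re.compile(r"/(test|debug|tmp|temp)(/|$)", re.I), "test/debug path"),
    (re.compile(r"\.(git|svn)(/|$)", re.I), "source repository"),
    (re.compile(r"\.(env|ini|conf|config|yml|yaml)$", re.I), "configuration file"),
]


def parse_robots(text: str) -> list:
    """Return [(user_agent, directive, value), ...] in file order, comments stripped."""
    records, agent = [], "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = [part.strip() for part in line.split(":", 1)]
        key = key.lower()
        if key == "user-agent":
            agent = value
        elif key in ("allow", "disallow", "sitemap"):
            records.append((agent, key, value))
    return records


def audit_robots(text: str) -> list:
    """Disallowed paths that look like they disclose something sensitive."""
    findings = []
    for agent, directive, path in parse_robots(text):
        if directive != "disallow" or not path:
            continue
        for pattern, label in SENSITIVE:
            if pattern.search(path):
                findings.append({"path": path, "label": label, "agent": agent})
                break  # one label per path is enough for the report
    return findings


# Constructed robots.txt for the example.
SAMPLE_ROBOTS = """\
# constructed robots.txt for the example
User-agent: *
Disallow: /admin/
Disallow: /backup/site-2021.zip
Disallow: /static/
Disallow: /test/
Allow: /public/
Disallow: /.git/
Disallow: /config/app.yml

User-agent: Googlebot
Disallow: /search
Sitemap: https://www.example.com/sitemap.xml
"""

if __name__ == "__main__":
    for finding in audit_robots(SAMPLE_ROBOTS):
        print(finding)
```

<p>Run this against your own robots.txt before publishing it: anything the audit reports should be protected by authentication or removed from the web root, not hidden behind a Disallow line that every reader of the file can see.</p>
</div>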
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/53.8013048c.js" defer></script>
  </body>
</html>